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— A method for providing local security of audio and video 
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rebundling the keys required for descrambling, e.g., the TDES keys, into a new ECM 
(LECM), which is protected by a local public key. 
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A GLOBAL COPY PROTECTION SYSTEM FOR DIGITAL HOME NETWORKS 



Field of the Invention 
This invention provides locai security of audio and video content during 
transmission and storage within digital home networks. Scrambled content may 
be recorded in ail conditions, however, only authorized copies are processed for 
descrambling and viewing. 

Background of the Invention 
Copyright owners and content creators, such as movie studios and 
production companies, have a need for protecting their investment, for example, 
movies, programming, services, software, or the like. Such content has typically 
found its way to the consumer through network broadcasts, premium 
programming cable or satellite channels, pay-per-view events, and retail sales and 
rentals of videocassettes. 

Analog videocassette recorders (VCRs) allow consumers to view content 
at their convenience. Fortunately, such analog VCRs produce a reduction in 
quality of each generational recording that the second or third generation is 
usually unacceptable to most viewers. However, with digital technology, the 
intrinsic generational degradation characteristic of the analog technology no 
longer exists. The nature of digital storage and transmission allows endless 
generations of copies to be produced with the same quality as the original 
master. Today, most products that receive digital video services have only 
analog outputs. Future products with digital outputs will allow for the 
convenience of networked systems and higher quality recording. A home 
network, which receives content for display and storage, must now also protect 
content against illegal copying or distribution. 

The Draft Video Home Recording Act of 1996 defines the Copy 
Generation Management System (CGMS) as a mechanism to manage the creation 
of copies, not the viewing of those copies. The rights of copyright owners do 
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not map nicely into the concept of CGMS. Indeed, copyright owners have a 
greater interest in controlling the actual viewing of materia! as opposed to the 
copying of the material. Today, even using industry standard analog copy 
protection techniques, the emphasis is placed on the individual ability to view the 
copy. This is different from constraining the copying device from actually 
creating that copy. 

These issues are exasperated due to the dramatic developments in digital 
media distribution such as the Internet. Therefore, there is a need to provide a 
secure solution for protecting the intellectual property of the copyright owners. 

Summary of the Invention 
The present invention resides, in part, in recognition of the described 
problem and, in part, in providing a solution to above problems. Generally, the 
present invention provides a method for managing access to a scrambled 
program content. The invention protects content within a network by rebundiing 
the keys required for descrambling, e.g., the TDES keys, into a new ECM (known 
as an LECM). This method may comprise receiving a scrambled program (e.g., a 
scrambled data component and a descrambling key) in the first device, and 
rebundiing the descrambling key using a unique key associated with the first 
device. The descrambling key is obtained from the rebundled descrambling key 
in a second device and used for descrambling the scrambled data component. 

In accordance with one aspect of the present invention, the descrambling 
key is encrypted and the step of rebundiing comprises decrypting the encrypted 
descrambling key using a key associated with the scrambled program and re- 
encrypting the descrambling key using a key associated with the first device to 
produce the rebundled descrambling key (i.e., LECM). 

In accordance with another aspect, the present invention provides a 
method for managing access, within a network, to a scrambled program received 
from a service provider. The encrypted descrambling key associated with the 
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scrambled program is decrypted in the access device using a key associated with 
the service provider and then the key is re-encrypted using a public key 
associated with said access device. The presentation device decrypts the re- 
encrypted descrambling key and descrambles the scrambled data component 
using the descrambling key. This invention may also be utilized for managing 
access to a scrambled pre-recorded program. 



In accordance with yet another aspect, the present invention provides a 
method for recording a scrambled program received from a service provider. The 

10 method comprises receiving the scrambled program and decrypting the encrypted 
descrambling key in the access device, which in this case may be a video 
recording device, using a key associated with the service provider. The 
descrambling key is re-encrypted using a public key associated with the access 
device. The recording device records the scrambled data component and the re- 

15 encrypted descrambling key on media coupled to the recording device. 

Brief Description of the Drawings 
Figures 1 a and 1 b are system block diagrams of the XCA architecture in 
accordance with the present invention; 
20 Figure 2 is a block diagram of a generic XCA device employed in the XCA 

architecture of Figure 1 ; 

Figure 3 illustrates a model for distributing the public and private keys in 
accordance with the invention of Figure 1 ; 

Figure 4 is a block diagram illustrating the generation of an LECM in 
25 accordance with the invention of Figure 1 ; 

Figure 5 is a block diagram illustrating the flow of content in accordance 
with the invention of Figure 1 ; 

Figure 6 is a schematic diagram illustrating the protection of the NRSS 
interface in accordance with the invention of Figure 1 ; and 
30 Figures 7 and 8 are schematic diagrams for creating secure authenticated 

links in accordance with the invention of Figure 1 . 
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Where applicable, the same element numbers were used throughout these 
figures. 

Detailed Description of the Drawings 
A global protection system for digital home networks, also known as 

5 extended conditional access, or XCA, is defined in this application. XCA is a 
replaceable copy protection system designed to be used with renewable security 
devices such as smart cards. The Consumer Electronics Manufacturers 
Association (CEMA) has established 3 standards for interconnecting a digital 
television with other devices; (1) EIA-775 - Digital Television 1394 Interface; (2) 

10 EIA-761 - 8-VSB Remodulator Interface; and (3) EIA-762 - 16 VSB Remodulator 
Interface. E1A-761 and EIA-762 are one-way transmission interfaces while EIA- 
775 supports bi-directional communications. Although XCA can be successfully 
employed with any of these interconnection standards, it is not limited to these 
three standards. 

15 

The flow of information is primarily one-way in an XCA system. Content 
flows from the source to the display maintaining its original scrambling. Because 
the content is chain protected instead of link protected, there is no need for 
consecutive links to negotiate or establish keys. All information flows strictly 
20 from the source device to the sink device, that is, always toward the 
presentation device (typically a digital television (DTV) or set-top box in 
combination with a television) for final viewing. 

The following definitions are used to describe the present invention, 
25 Encryption or scrambling is the process of transforming plaintext into ciphertext 
(i.e., E C ,JM]; the message M is encrypted with cipher algorithm C using key K); 
decryption or descrambling is the reverse process. Conventionally, encryption 
and decryption are used when discussing control words or keys, and scrambling 
and descrambling are used when discussing audio/video content. A control word 
30 (CW) is the key used to scramble and descramble audio/video content. A 

cryptosystem is a system for achieving confidentiality, an information security 
objective. 
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In a symmetric cryptosystem, the encryption and decryption keys are the 
same or can easily be determined from each other. In an asymmetric or public 
key cryptosystem, the encryption and decryption keys differ in such a way that 

5 at least one key is computationally difficult to determine from the other. 

Although the two keys are mathematically related, it is not possible to derive the 
private key with reasonable computational resources. As described below in 
further detail, each access device contains a unique public key for the purposes 
of locally encrypting the descrambiing keys (LECMs). This unique public key is 

10 either stored in the access device during manufacturing or sent from a 

conditional access (CA) server when the access device is initialized in the field. 
During initialization, as described below in further detail, the access device may 
contact the CA server to obtain the unique public key using the identification of 
the access device. 

15 

Particularly, XCA protects the digital MPEG-2, or equivalent, encoded 
audio/video (A/V) content during transmission and storage. This is accomplished 
by mapping the three basic controls, namely, "playback control", "record control" 
and "one-generational control" into "viewing control". With XCA, content of 
20 economic value is always scrambled, either under the control and responsibility 
of the distributor or within the confines of the consumer's home network. The 
recording of scrambled content is always permitted in all conditions, however, 
only authorized copies are processed for descrambiing and viewing in licensed 
devices. 

25 

XCA addresses the two critical elements for viewing control: time and 
space. Viewing control over time provides a mechanism to regulate when 
content can be viewed today or in the future. Viewing control over space 
regulates where and who may view this material. Together, these domains span 
30 a complete viewing space giving the copyright owner full controls over how 
content should be distributed and used. 
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XCA provides for three levels of entitlements. First, content that is free to 
distribute in an unlimited fashion is "free-copy" content. Examples of "free- 
copy" content may be broadcast television, infomercials or similar material that is 
supported by advertisers. Local View Programming, or "copy-once" content, 

5 provides a single household the ability to create and view a copy regardless of 
time. However, such a copy cannot be transported to other local networks 
because an LECM generated in one network cannot be decrypted in another local 
network. Examples of this type of content may be sporting events or premium 
services. Finally, "never-copy" or Immediate View Programming content allows 

10 for only the real-time viewing, i.e., recorded copies will never be viewable. 
Examples of this type of content may be pay-per-view programming or other 
high-value content. 



Figures 1 a and 1 b illustrate a distinct characteristic of the XCA 
15 architecture 10, that is, the notion of conditional access and local protection. 
Content of economic value 1 1 whether from a tape, DVD, cable, satellite or 
terrestrial broadcast is usually delivered via a private conditional access service. 
The audio/video content and keys are protected and supplied to all the 
subscribers of the service using a private conditional access architecture, 
20 Subscribers who purchase content are supplied with the necessary keys for 

descrambling the content. Access device 14, for example a set -top box, usually 
in conjunction with a smart card, obtains or generates the keys for descrambling 
the video content. In the XCA architecture, this is the process of conditional 
access. Local protection is the protection of the content within the boundaries 
25 of the home network, after the access device receives the scrambled program 
from the service provider. 



In general, a consumer electronic (CE> device 20 ("XCA device") employed 
within XCA architecture 10 is defined in Figure 2. Such a device has, at a 
30 minimum, a switching unit 22 and a digital input 24. Depending on the device 
type, it may also contain one or more of the following elements; a security 
device 26 (typically renewable), storage unit 28, an analog output 30 and/or a 



SUBSTITUTE SHEET (RULE 26) 



WO 00/56068 PCT/US00/06834 

7 

digital output 34. Certain device types are defined with specific functionality, for 
example, (1) XCA Access Device 14 (e.g., set-top box, DVD player, DTV) 
creates "XCA protected content", (2) XCA Presentation Device 16 (e.g., DTV) 
descrambles "XCA protected content", (3) XCA Recording Device 18 (e.g., 
5 DVHS or DVD recorder) only stores or plays but cannot create or descramble 
"XCA protected bit streams". 

Access devices typically operate in combination with an XCA/NRSS 
Converter Card (see 26a of Figure 5). The XCA/NRSS converter card creates 

10 XCA protected content from private conditional access (CA) protected content or 
XCA globally protected content. Presentation devices, such as DTV 1 6, operate 
in combination with an XCA/NRSS Terminal Card (see 26b of Figure 5) for 
descrambling XCA protected content. If a DTV is used as an access device as 
wed as a presentation device, the DTV may operate with both a converter card 

15 26a and a terminal card 26b or the functionality of both may be integrated into 
one card. 

The XCA architecture can handle (1 ) clear content that is not protected by 
any means, e.g., broadcast programs, (2) CA content that is scrambled by a CA 

20 system using ECMs to carry the control words (CWs), e.g., digital satellite or 
cable services, (3) XCA content that is scrambled by XCA using Local ECMs 
(LECMs) to carry the CWs or keys (the LECMs are encrypted using the public key 
associated with access device 16), and (4) NRSS content that is scrambled by 
the XCA NRSS copy protection scheme. In addition, XCA content that is 

25 scrambled using Universal ECMs (UECMs) to carry the CWs may also be 

processed by this system. UECMs are encrypted using one unique global public 
key common to all networks and may be used, for example, for pre-recorded 
content. 

30 The typical functions of an XCA device of Figure 2 are described below. 

The digital input 24 comprises all the circuitry and software needed to acquire a 
digital signal. The digital input may be of the form of a digital bus (e.g., IEEE 
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1394), a teico, a LAN, RF VSB/QAM or the like. Similarly, the digital output 34 
comprises all the circuitry and software needed to provide a digital signal and 
may be of the form of a digital bus (e.g., IEEE 1 394), a telco, a LAN, RF 
VSB/QAM or the like. 

5 

Security device 26, whether renewable such as an NRSS card or 
embedded within a host device 20, handles CA functions and XCA functions and 
is able to transform the type of the content. Security device 26 may only be 
connected to a single XCA device at any one time and provides transformed 
10 content. The below table summarizes the permitted transformations. 



Signal in \ Signal Out 


Clear 


CA 


XCA 


NRSS 


Clear 


Yes (TO) 


No 


No 


No 


CA 


Yes <T4) 


Yes (TO) 


Yes ( T1 ) 


Yes ( T2) 


XCA 


Yes (T5) 


No 


Yes (TO) 


Yes ( T3) 


NRSS 


No 


No 


No 


Yes (TO) 



The following transformations are applicable for both removable and embedded 
security devices: 

15 

TO is the identity transformation, i.e., the output stream is exactly equal to 
the input stream. This allows card chaining. 

T1 If the user has the right CA entitlements, then the security device 
20 recovers the CWs, and descrambies the content. It then generates the 

TDES keys, re-scrambles the content, and encrypts the LECMs using its 
public key. If the content source is an ATSC compatible system (i.e., 
TDES scrambling), descrambling may not be needed. 

25 T2 If the user has the right CA entitlements, then the security device 

recovers the CWs, and descrambies the content. It then re-scrambles the 
content following the requirements of the XCA NRSS interface protection 
system, described below in further detail. The CA provider defines this 
transformation. 
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T3 If the user has the right XCA entitlements, then the security device 
descrambies the content using the CWs of the LECMs. it then re- 
scrambles the content following the requirements of the XCA NRSS 
interface protection system. 

The following two transformations oniy apply to embedded security devices: 

T4 If the user has the right CA entitlements, then the security device 
recovers the CWs, and descrambies the content. The CA provider defines 
this transformation. 

T5 If the user has the right XCA entitlements, then the security device 
descrambies the content using the CWs of the LECMs. 

A converter card supports at least transformation T1 and a terminal card 
supports at least transformation T3. In addition to the above requirements, if 
security device 26 is renewable and is capable of non-volatile storage of program 
content, then its storage shall not accept NRSS content. If security device 26 
transforms content (e.g., scrambles/re-scrambles content or encrypts/reencrypts 
LECMs ) then it shall conform to NRSS-A or NRSS-B. Finally, if security device 
26 needs NRSS interface protection 35, then it shall use the XCA NRSS interface 
protection system, as referenced in EIA-679B (described below in further detail). 

Storage unit 28 may either be fixed such as a hard drive or removable 
such as a recordable DVD, DVHS tape or the like. Storage unit 28 stores clear or 
XCA content and is able to replay the content later when requested by the 
system. That is, storage unit 28 is able to read, and optionally write, content; it 
does not transform the type of the content. 

Presentation device 16, if necessary, descrambies 35 the NRSS copy 
protection stream and then decodes 36 the MPEG2 content . The descrambled 
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and decoded content is then presented to the user in an analog form by passing 
the content through digital-to-anaiog converter 38. The final outcome may be a 
physical signal such as a TV display or analog output of a hi-fi amplifier. 
Presentation device 16 may have one or more analog outputs, or uncompressed 
5 digital outputs. In these cases, the output is protected by the relevant copy 
protection system. 

Switching unit 22 routes content within the XCA device. Its function is 
limited to routing only; it does not transform the type of the content. The 
10 following table defines the different routing options depending on content format. 



Source \ Sink 


Digital Output 
34 or 
Storage 
Device 28 


Security Device 
26 

(removable or 
embedded) 


Presentation 
Device 16 


Digital Input 

24 or 
Storage 
Device 28 


Clear 


Yes 


Yes 


Yes 


Scrambled 


Yes 


Yes 


NA 1 


NRSS 


No 2 


No 2 


No 2 


Security 
Device 26 
(removable or 
embedded) 


Clear 


Yes 


Yes 


Yes 


Scrambled 


Yes 


Yes 


NA 1 


NRSS 


No 


Yes 3 


Yes 



1 Sending scrambled content to the presentation unit has no meaning. The 
15 presentation unit is incapable of descrambiing the data, and thus cannot make 
any use of it. 

2 NRSS data should not be accepted by digital input or storage units. Thus it 
cannot be sent to other parts of the device. 

3 NRSS data can be passed from one security device to another only for the 
20 purposes of 'daisy chaining'. The content can be passed through subsequent 

devices in the chain, but the keys (or NRSS CP secrets) must not be disclosed to 
any other device (including security devices). 
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Before accepting a public key used for generating the LECM {i.e., 
rebundling of the ECM), an access device must be assured it is getting a public 
key that is legitimate, that is one generated by an authorized entity. Certification 
is one way of providing this assurance. Access devices shall only provide XCA 
5 content using a certified public key. A public key certificate is a signed message, 
which associates the public key with an originating entity. 

A unique local public/private key pair is assigned to security device 26 
employed in the XCA architecture. There are two types of security devices: 
10 devices with a converter module and devices with a terminal module. Every 

converter and terminal module may be assigned a unique 64-bit identification and 
a unique RSA public/private key pair of 1024-bit length. 

The model for distributing the public and private keys for the converter 
15 modules is illustrated in Figure 3 wherein a Trusted Third Party (TTP), the CA 
provider itself or an independent organization, generates and keeps a copy of 
public/private keys in a database. The public key has to be in the converter 
module of the security device associated with the access device before any 
conversion takes place. The corresponding private key is downloaded to the 
20 terminal module when requested. 

There are two modes for distributing public keys: 

• Off-line mode: In this mode, a set of XCAJDs is delivered to the card issuer 
or card manufacturer. Each ID is paired with the corresponding public key. 

25 The card issuer or the card manufacturer stores this information in the 
security device in a way to ensure its integrity. 

• On-line mode: In this mode, only the XCAJDs are delivered to the card issuer 
or card manufacturer. The XCAJD is stored in the security device in a way 
to ensure its integrity. When first used in the field, the converter module 

30 requests its public key from the TTP. The transfer is made using the secure 
authenticated channel defined by the CA provider. 
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The TTP delivers the private key of a given converter module to a terminal 
module only in response to the request of this terminal module. The transfer 
shall use the secure authenticated channel defined by the CA provider. The 
terminal module shall ask for a private key of a given converter module when it 

5 receives a LECM from an unknown converter module. A converter module issues 
such a LECM at least at the beginning of each session. A session begins every 
time the access device delivers a content to a presentation device. The TTP has 
the responsibility to monitor the requests in order to detect malicious requests. 
The security policy associated with this task is determined by the CA provider as 

10 part of his risk analysis. 

The communication between the converter/terminal modules 26a and 26b 
and the TTP will be under the control of the CA provider operating the XCA 
system. The TTP will select and implement appropriate communication channels 

15 and message protocols needed for key distribution. In implementing the XCA 
system, the CA provider may choose a particular communication channel or a 
private message protocol. The CA providers will need to collaborate and 
exchange data to ensure the interoperability of security devices in home 
networks. This need may arise if, for example, a converter card and a terminal 

20 are provided by different CA providers. When the terminal card requests the 
private key belonging to the converter card from the TTP, the TTP will have to 
obtain it from the CA provider that owns the converter card. 

The keys for content descrambling are rebundled in LECMs by access 
25 device 14. That is, the encrypted ECMs, which carry the descrambling keys, are 
decrypted by access device 1 4 and then re-encrypted using a local public key 
associated with the access device to produce the LECM. Particularly, XCA 
system 10 achieves local security by only descrambling the content when it is to 
be viewed, for example, in conjunction with the local presentation device (e.g., 
30 digital television) 1 6. Private conditional access protects the transmission of the 
content from the service provider (i.e., tape, DVD or broadcast 1 1) to the user's 
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access device 1 4. The XCA architecture protects the content in the local 
network. 



Particularly, XCA operates on the philosophy that content should be 
5 encrypted at all times, including distribution and storage. Consider, for example, 
the delivery of premium programming from a multi-program video provider. 
Content is scrambled as it enters the home. The provider's private CA system is 
responsible for making available the content to the consumer according to the 
entitlements that have been agreed upon. In an ATSC-compliant digital delivery 
10 systems, the program is MPEG compressed and scrambled using the triple DES 
{TDES} algorithm. The keys for descrambling the program are contained in 
Entitlement Control Messages (ECMs) which themselves are encrypted in some 
private and unknown fashion. A consumer entitled to view the program must be 
handed either the descrambled transport stream or a scrambled transport stream 
15 with the keys necessary for descrambling when viewed. The first case does not 
provide for the protection of content. 



As shown in Figure 4, XCA protects the content on the local network by 
rebundling (i.e., ECM translation) 42 the keys required for descrambling (i.e., the 

20 TDES keys) into a new ECM which is protected by a local public key associated 
with the access device (i.e., LECM). This process is typically performed in 
access device 14 and preferably in security device 26. In this fashion, the only 
device capable of recovering the TDES keys and hence descrambling the MPEG 
program is the local presentation device, e,g., DTV. Because every local network 

25 contains a unique set of public/private key pairs, only the local system which 
recorded or viewed the original content is capable of viewing any copies derived 
from its local network distributed content. Even if a rogue device making non- 
legitimate and unauthorized copies exists, they are viewable only within the local 
network. 

30 

The flow of content with the XCA domain is further explained using Figure 
5. The CA and XCA functionality can be optionally removed from the access 
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device and placed in a special security device 26, known as a converter card 
26a. Likewise, a terminal card 26b can optionaify assume the CA, XCA and 
NRSS functionality (i.e., the security aspects) of presentation device 16. 
Particularly the flow of content within the XCA domain involves passing 

5 incoming CA content from access device 1 4 to CA module 44 of security device 
26a. CA module 42 recovers the control words (CW) or keys for the CA content 
and passes the CWs to converter module 46 which generates the necessary 
LECM. Converter module 46 passes XCA protected content back to access 
device 1 4 which in turn passes the XCA protected content to presentation 

10 device 1 6. The XCA protected content is passed to security device 26b r 
particularly to terminal module 50 via CA Module 48. Terminal module 50 
recovers the CW from the LECM and descrambles the XCA protected content. 
The clear content is now passed to NRSS CP module 52; both the NRSS CP 
module 52 and presentation device 1 6 participate to generate the scrambling 

15 key. The scrambling key is usually a symmetric key, but other approaches using 
a public key may be employed. The functionality of NRSS CP module 52 is 
shared by security device 26b {represented as 52a) and presentation device 16 
(represented by 52b). NRSS CP module 52 scrambles, preferably using DES, the 
content using this scrambling key and then passes the scrambled content to 

20 NRSS CP module 52b in presentation device 36. NRSS CP module 52b 
descrambles the scrambled content for display. 

In XCA systems, both real-time and pre-recorded content remains 
scrambled throughout the system. The XCA presentation device 1 6 using the 

25 copy protection system as defined by EIA-679 and EIA-796 accomplishes final 
descrambiing. in this fashion, copy protection management is provided end-to- 
end, that is, from the source of scrambling to the final viewing display. As is 
illustrated in Figure 6, XCA protects the NRSS interface by rescrambling the 
content using single DES with keys generated randomly between the 

30 presentation device and the NRSS card. Known as the Diffie-Hellman key 

agreement, this protocol ensures a third party cannot recover the keys simply by 
tapping the smart card interface. 
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Particularly, the protection of the NRSS interface is based on three primary 
principles. Firstly, restricting the devices that may receive copy protected data 
by requiring a license. Secondly, scrambling data and protecting the keys so 
5 those passive devices cannot record signals and decode a clear bit stream. 
Finally, coupling the host presentation devices and terminal cards and 
authenticating the host devices so those active devices to record bit streams are 
difficult to create. 

10 Therefore in general, the procedure for establishing an XCA protected 

NRSS link involves: (1) authenticating the presentation host device, (2) 
establishing a shared secret key that is unique to a particular presentation 
device/terminal card pair, (3) creating content protection keys (e.g., shared keys) 
in real time, (4) scrambling content returning to the host (e.g., DTV) with DES, 

15 and (5) descrambling content received by the host. These steps are illustrated in 
Figure 6. 

Every XCA presentation device will be manufactured with a unique ID. 
This ID can be used to identify the manufacturer and a specific XCA presentation 
20 device. These ID's are warranted by the manufacturer to be unique, but are not 
certified or secure in any way. This allows a host to be uniquely identified for 
the purpose of security, yet makes device revocation virtually impossible to 
manage. Forging an apparently valid ID is very simple, but security methods 
outlined below eliminate any significant value in doing so. 

25 

NRSS based terminal cards can create a secure authenticated link with a 
presentation device by communicating with a trusted third party (TTP). Either 
the device ID or the model and serial number can be used to get the correct DH 
public key for a given host. In this scheme, as illustrated in Figure 7, the 
30 ID/serial number is sent to the TTP (steps 1 and 2). The TTP queries its 

manufacturers database for this host (step 3), determines the correct public key 
for this XCA Presentation Device (step 4), and sends some private authentication 
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to the CA module via a secure channel (step 5). Alternatively as illustrated in 
Figure 8, the card can request the public key from the host device (step 1) and 
send it to the CA head-end or TTP for authentication and storage (step 2). Many 
feasible communications messages and channels exist. Possibilities for 
5 communications channels are phone lines, return path communications, sending 
an EMM over a distribution network, or even shipping a physical unit. 



The only devices allowed to use the XCA NRSS copy protection system 
outlined here are devices that do not have (1) a digital input that can receive data 
io from the NRSS interface or (2) any means for mass storage that can receive data 
from the NRSS interface. 



A shared secret shall be established between any given pair of a 
presentation device and a terminal card. At the terminal card's option, a single 

15 shared secret value can be used for al! sessions, or, if additional security is 

desired, a new-shared secret can be created for each session. The procedure for 
secret creation is outlined in the copy protection framework for NRSS (EIA-679B 
part A section 20.3, or part B section 8.9.3). Control words for protecting 
content travelling across the NRSS interface shall be created according to the 

20 NRSS standard (EIA-679B part A section 20,5, or part B section 8.9.5). 



The interval for updating NRSS content scrambling keys is the same as the 
interval for updating content scrambling keys in local network packets. The 
update rate in local network packets can be found using 

25 source_sequence_number in section. At each new source_sequence_number, a 
new NRSS key should be put into use. If the new key is the EVEN key in a 
negotiated pair, then a new negotiation should be started at the same time the 
new key is used. If this negotiation does not conclude before the next increment 
to sourcesequencenumber, then the terminal card should stop providing NRSS 

30 content because the host is not behaving properly. This requires that hosts (and 
cards) must be able to complete the key negotiation in less than 900mS. 
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Content being scrambled for protection over the NRSS interface shall 
conform to the NRSS standard (EIA-2679B part A sections 20.5.3 and 20.5.4, 
or part B sections 8.9.5.3 and 8.9.5.4). All packets in the main video stream 
and primary audio streams (that are actively in use) shall be scrambled. 

XCA uses EIA-679A copy protection Format #1 with the below-defined 
field sizes. 



datatype id 


id value 


Size (bytes) 


Host id 


05 


8 


N host 


07 


8 


N module 


08 


8 


Host DH Public Key 


13 


96 


Module DH Public Key 


14 


96 


CCI 


18 


8 



All the CA systems that will be used in ATSC broadcast systems are 
10 assigned unique CA_system_IDs. Likewise, XCA uses a unique CA_system_ID to 
perform local conversion. The value chosen for XCA is 0x1 180. The 
broadcasters shall include this ID in their list of CA providers. During the 
transmission of content, an unused PID shall be allocated for XCA LECMs. Each 
program that needs to be converted to XCA shall appear in a PMT, which 
15 includes the XCA_system_ID pointing to the allocated LECM PID. Empty packets 
with the LECM PID do not need to be inserted in the broadcast transport stream 
as the CA ECMs will be replaced by LECMs in the conversion process. 

The MPEG2 transport stream consists of transport packets as shown 

below. 

Syntax No. of bits Mnemonic 

MPEG2_transport_stream() { 
do { 

transportpacketO 
} while (nextbitsO = = sync_byte) 

J 

20 1 

Transport packets that are protected under XCA security are scrambled 
using Triple-DES, as per ATSC specifications on conditional access. The PIDs 
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carrying both non-local ECMs and local ECMs (LECMs) shall be specified by the 
Program Map Table defined in the MPEG2 standard. 

The local ECM tables shall be packet aligned with the syntax defined 

5 below. 



Syntax 


No. 

of 

bits 


Mnemonic 


LECM_transport_packet{) { 






syncjsyte 


8 


bsibf 


transport_errorjndicator 


1 


bslbf 


payloadjjnit^startjndicator 


1 


•v 


transport priority 


1 


bslbf 


PID 


13 


uimsbf 


transport_scrambling_control 


2 


'00' 


adaptation_field_control 


2 


'01' 


continuitycounter 


4 


uimsbf 


pointer_field 


8 


uimsbf 


f or (i = 1 ; i < 1 84; i + + ) { 






data byte 

{ 

} 


8 


uimsbf 



wherein: 



syncbyte — A fixed 8-bit field whose value is '0x47'. 

transporterrorjndicator — A 1-bit flag. When set to "T, it indicates that there 

io is at least one uncorrectable bit error in the packet. 

payload unit startjndicator — This 1-bit flag shall be set to "T, and the first 
byte of the payload of this transport stream packet shall carry a pointer_field. 
transportpriority — A 1-bit flag. When set to "T, it indicates that the packet is 
of greater priority than the other packets having the same PID which do not have 

15 the bit set to '1'. 

PID — A 1 3-bit packet identifier. 

transport scrambling control — This 2-bit field shall be set to '00 f , meaning that 
the packet is not scrambled at the transport level. 
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adaptation field control — This 2-bit field shall be set to '01 ', meaning that there 
is no adaptation field following the transport stream packet header, 
continuity counter — A 4-bit field that increments with each transport stream 
packet with the same PID, It wraps around to 0 after it reaches its maximum 
5 value. 

pointer field — This 8-bit field contains the number of bytes, immediately 
following the pointer field until the first byte of the first section that is present in 
the payload of the transport stream packet. A value of 0x00 indicates that the 
section starts immediately after the pointer field. 
10 data_byte — Contiguous 184 bytes of data from Local Entitlement Control 
Message sections or packet stuffing bytes after Local Entitlement Control 
Message sections. Packet stuffing bytes of value OxFF may be found after the 
last byte of a section. In this case, all following bytes until the end of the packet 
shall also be stuffing bytes of value OxFF. 

15 

The Local Entitlement Control Message may comprise one or more 
sections each of, which may be variable in length. The LECM may comprise at 
least the (1) the XCA device identification of the security device that generated 
the LECM r (2) copy control information which may be used to enforce viewing 
20 rights, and (3) the descrambling keys. 



While the invention has been described in detail with respect to numerous 
embodiments thereof, it will be apparent that upon reading and understanding of 
the foregoing, numerous alterations to the described embodiment will occur to 
25 those skilled in the art and it is intended to include such alterations within the 
scope of the appended claims. 
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CLAIMS 



1. Method for managing access, within a network comprising a first device 

interconnected 
to a second device, to a scrambled program comprising: 
5 (a) receiving said scrambled program in said first device, said scrambled program 

comprising a scrambled data component and a descrambling key; 

(b) rebundling, in said first device, said descrambling key using a unique key 
associated with said first device; 

(c) receiving, in said second device, said scrambled data component and said 
1 0 rebundled descrambling key; 

(d) obtaining in said second^device^said descrambling key from said rebundled. 
descrambling key; and 

(e) descrambling, in said second device, said scrambled data component using said 
descrambling key. 



2. The method of Claim 1 , wherein said descrambling key is encrypted and the step of 
rebundling comprises: 

(a) decrypting said encrypted descrambling key using a key associated with said 
scrambled program; and 

20 (b) re-encrypting said descrambling key using said unique key associated with said 

first device to produce said rebundled descrambling key. 

3. The method of Claim 2 wherein said unique key associated with said first device is a 
public key, said public key being located in said first device and a corresponding private key 

25 being located in said second device. 



4. The method of Claim 2 wherein the step of rebundling is performed within a first 

smart 

card coupled to said first device and the steps of decrypting and descrambling are performed 
SO within a second smart card coupled to said second device. 
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10 



5. The method of Claim 1 further comprising the step of initializing said first device 
within 

said network. 

6. The method of Claim 5 wherein the step of initializing comprises the step of receiving 
said 

public key from a conditional access provider, said step of receiving comprising 
authentication of said conditional access provider. 



_The method of Claim 5 wherein said public key_is_prestored is one of said smart card 
and 



% said access device. 

T 15 8. The method of Claim 1 wherein said descrambling key is one of encrypted using a 

% private 

Q means if said scrambled program is received from prerecorded media and protected by a 

l** s private means if said scrambled program is received from a service provider. 

20 9. Method for managing access to a scrambled program comprising: 

(a) receiving, from a first device, said scrambled program comprising a scrambled 
data component and a rebundled descrambling key encrypted using a network 
key; 

(b) decrypting, in said second device, said rebundled descrambling key to generate 
25 said descrambling key; and 

(c) descrambling, in said second device, said scrambled data component using said 
descrambling key. 
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10. Method for managing access to a scrambled program received from a service provider 
within a network having an access device and a presentation device, said method 
comprising: 

5 (a) receiving said scrambled program in an access device, said scrambled program 

comprising a scrambled data component and an encrypted descrambling key; 

(b) decrypting, in said access device, said encrypted descrambling key using a key 
associated with said service provider; 

(c) re-encrypting said descrambling key, in said access device, using a public key 
10 associated with said access device; 

(d) . - ^receiving,- in said presentation device, said scrambled data^component and said 

re-encrypted descrambling key; 

(e) decrypting, in said presentation device, said re-encrypted descrambling key to 
obtain said descrambling key; and 

15 (0 descrambling, in said presentation device, said scrambled data component 

using said descrambling key. 

11. The method of Claim 9 wherein said scrambled program is prerecorded on media and 
provided to said access device, said encrypted descrambling key being received from 
said prerecorded media. 

20 

12. Method for recording a scrambled program received from a service provider, said 
method 

comprising: 

(a) receiving said scrambled program in an access device, said scrambled program 
25 comprising a scrambled data component and an encrypted descrambling key; 

(b) decrypting, in said access device, said encrypted descrambling key using a key 
associated with said service provider; 

(c) — re^encrypting said descrambling key, in said access devicerusing a public key 

associated with said access device; 
30 (d) receiving, in a recording device, said scrambled data component and said re- 

encrypted descrambling key; and 
(e) recording said scrambled data component and said re-encrypted descrambling 
key on media coupled to said recording device. 
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13* The method of Claim 12 wherein said scrambled program is prerecorded on media. 

14. The method of claim 1, wherein the first device is an access device and wherein the 
second device is a presentation device. 

15. A method for transforming in a security device, content information contained in a 
scrambled program received from a service provider comprising: 

receiving in said security device the scrambled program containing scrambled 
content information and a control word; 



descrambling the_scrambled content in the security device using the control 

word; 

generating in the security device another scrambling key; 
re-scrambling the content using said another scrambling key; and 
15 encrypting a local ECM containing the re-scrambled content using a unique 

key. 

16.The method of claim 15, further comprising determining user entitlement to the scrambled 
program prior to descrambling the scrambled content. 
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applications, material information which became available between the filing date of the prior application and the national or PCT 
international filing date of the continuation-in-part application. 



I hereby claim foreign priority benefits under 35 U.S.C. 1 19(aHd) or 365(b) of any foreign application(s) for patent or inventor's certificate, 
or 365(a) of any PCT international application which designated at least one country other than the United States of America, listed below 
and have also identified below, by checking the box, any foreign application for patent or inventor's certificate, or of any PCT international 
application having a filing date before that of the application on which priority is claimed. 



Prior Foreign Application 
Number(s) 



Country 



Foreign Filing Date 
(MM/DD/YYYY) Country 



Priority 
Not Claimed 



Certified Copy Attached? 
YES NO 



□ 
□ 
□ 



□ 

o 
□ 



□ 
□ 
□ 



□ Additional foreign application numbers are listed on a supplemental priority data sheet PTO/SB/02B attached hereto: 
I hereby claim the benefit under 35 U.S.C. 1 19(e) of any United States provisional applications) listed below. 



ApplicationNumber(s) 



60/124,479 
60/124,480 
60/138,844 



Filing Date (MM/DD/YYYY) 



MARCH 15, 1999 
MARCH 15, 1999 
JUNE 10, 1999 



□ Additional provisional application 
numbers are listed on 
a supplemental priority data sheet 
PTO/SB/02B attached hereto. 
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Burden Hour Statement: This form is estimated to take 21 minutes to complete. Time will vary depending upon the needs of the individual 
case. Any comments on the amount of time you are required to complete this form should be sent to the Chief Information Officer U S 
Patent and Trademark Office, Washington, DC 20231. DO NOT SEND FEES OR COMPLETED FORMS TO THIS ADDRESS SEND TO* 
Assistant Commissioner for Patents, Washington, DC 20231 . 



Please type a plus sign {+) inside this box 



El 



Approved for use through 10/31/2002. OMB 0651 4)032 * ^ 
U.S. Patent and Trademark Office; U.S. DEPARTMENT OF COMMERCE 
Under the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it contains a valid OMB control number 



DECLARATION — Utility or Design Patent Application 



Direct all correspondence to: □ Customer Number 

or Bar Code Label 



OR □ Correspondence address below 



Name 



^[QREPjH s. TRIPOLI, 



Address 



Address 



THOMSON MULTIMEDIA LICENSING INC. 



PO Box 531 2 



City 

PRINCETO N 
Country 

USA 



State 

NJ 



Telephone 

(609) 734-9875 



ZIP 

08543-5312 



Fax 

(609) 734 - 9700 



I hereby declare that all statements made herein of my own knowledge are true and that all statements made on information and belief are 
believed to be true' and further that these statements were made with the knowledge that willful false statements and the like so made are 
punishable by fine or imprisonment, or both, under 18 U.S.C. 1001 and that such willful false statements may jeopardize the validity of the 
application or any patent issued thereon. _____ 



NAME OF SOLE OR FIRST INVENTOR: 




□ A petition has been filed for this unsigned inventor 



Family Name ESKICIOGLU 
or Surname 



S£ QM~e£ srruw* -ZOU*y& 



Residence: City 
INDIANAPOLIS 



State 
INDIANA** 



Country 
US 



Date 



2S 7^ /o\ 



Citizenship 
TR 



Mailing Address 



Mailing Address 



8235 LAKESHORE TRAIL, APT. #125 



City 

INDIANAPOLIS 



State 
INDIANA 



ZIP 

46250-4607 



Country 
US 



NAME OF SECOND INVENTOR: 



a* 



□ A petition has been filed for this unsigned inventor 



Name 



DAVID EMERY 



Family Name VIRAG 
or Surname , 



Inventor's 
Signature 



Date 



Residence: City 
INDIANAPOLIS 



State__JW 
INDIANA 



Country 

'us 



Citizenship 



US 



Mailing Address 



Mailing Address 7485 CHERRY HILL DRIVE 



City 

INDIANAPOLIS 



State 
INDIANA 



ZIP 

46254-9769US 



Country 
US 



|^| Additional inventors are being named on the 1 supplemental Additional Inventor(s) sheet(s) PTO/SB/02A attached hereto. 
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Ptease type a plus stgn (+) inside this box 



0 



PTO/SB/01 (10-00) 
Approved for use through 10/31/2002. OMB 0651-0032 
U.S. Patent and Trademark Office; U.S. DEPARTMENT OF COMMERCE 
Under the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it contains a valid OMB control number. 



DECLARATION — Utility or Design Patent Application 



Direct all correspondence to: Q Customer Number 

or Bar Code Label 




OR □ Correspondance address below 


Name 


JOSEPH S. TRIPOLI 


Address 


THOMSON MULTIMEDIA LICENSING INC. 


Address 


PO Box 5312 


City 

PRINCETON 


State 

NJ 


ZIP 

08543-5312 


Country 

USA 


Telephone 

(609) 734 - 9875 


Fax 

(609) 734 - 9700 


I hereby declare that all statements made herein of my own knowledge are true and that all statements made on information and belief are 
believed to be true; and further that these statements were made with the knowledge that willful false statements and the like so made are 
punishable by fine or imprisonment, or both, under 18 U.S.C. 1001 and that such willful false statements may jeopardize the validity of the 
application or any patent issued thereon. 


NAME OF SOLE OR FIRST INVENTOR: 


□ A petition has been filed fpr this unsigned inventor 


Given 

Name AHMET MURSIT 


Family Name ESKICIOGLU 
or Surname 


Inventor's 
Signature 


Date 


Residence: City 
INDIANAPOLIS 


State ^ 
Indiana 


Country 
US 


Citizenship 
TR 


Mailing Address 


Mailing Address .8235 LAKESHORE TRAIL, APT. #125 


City 

INDlANAPOLfS^ 


State 
INDIANA 


ZIP 

46250-4607 


Country 
US 


NAME OF SECOND INVENTOR: 


□ A petition has been filed for this unsigned inventor 


Given 

Name DAVID EMERY 


Family Name VIRAG 
or Surname 


Inventor's 
Signature 








Residence: City 
INDIANAPOLIS 


State ' 
INDIANA 


Country 
US 


Citizenship 

US 


Mailing Address 


Mailing Address 7485 CHERRY HILL DRIVE 


City 

INDIANAPOLIS 


State 
INDIANA 


ZIP 

462 54-9769 US 


Country 
US 


£^ Additional inventors are being named on the 1_ supplemental Additional lnventor(s) sheet(s) PTO/SB/02A attached hereto. 
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PTO/SB/02A (11-00) 

: * A Approtvedtfor^use ^0^9^.10/3^/^002.01^16 0651-0032 
■ U .S. PatenbandTrademark Office; U.S.^o|^H^M' T ? c fe C^tfM^Rr. 
Under the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it contains* a validfoPftB control narnber.' 



Pfease type a plus sign {+) inside this box - 



DECLARATION 



ADDITIONAL INVENTOR(S) 

Supplemental Sheet 
Pagegofg 




x 



Mailing Address 



Mailing Address 



11 03 INDIANA PIPE LANE 



City 



ZiONSVILLE 



State 



INDIANA 



Name of Additional Joint Inventor, if any: 



Zip 



46077 



Country 



US 



□ A petition has been filed for this unsigned inventor 



Given Name (first and middle [if any]) 



BILLY WESLEY 

Inventor's 
Signature 



Family Name or Surname 



BEYERS, JR. 




Citizenship 



I 1Q ' 



Mailing Address 



Mailing Address 



1075 ARROW WOOD DRIVE 



CARMEL 



City 



INDIANA 



State 



Zip_ 



46033- 
9046 



US 



Country 



Burden Hour Statement: This form is estimated to take 21 minutes to complete. Time will vary depending upon the needs of the individual case. Any 
comments on the amount of time you are required to complete this form should be sent to the Chief Information Officer, U.S. Patent and Trademark 
Office, Washington, DC 20231. DO NOT SEND FEES OR COMPLETED FORMS TO THIS ADDRESS. SEND TO: Assistant Commissioner for Patents, 
Washington, DC 20231 . 



